02-05-2020 09:02 AM - edited 02-05-2020 09:14 AM
Hello
I have a problem with one VPN link (I have 5 VPN links on this router; 4 are working fine).
I use NAT: the 4500, 500, 50 ports are NATed on my ISP router to the Cisco router. My 4 VPN links are working fine.
The VPN link stops working after some time, at random.
It can take 3 hours, it can take 1 day...
When I type
show crypto ipsec sa I get multiple results:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.116.0/255.255.255.0/0/0)
current_peer 51.x.x.119 port 36350
  PERMIT, flags={origin_is_acl,}
 #pkts encaps: 267326, #pkts encrypt: 267326, #pkts digest: 267326
 #pkts decaps: 200817, #pkts decrypt: 200817, #pkts verify: 200817
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 0, #recv errors 0

  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none
  inbound esp sas:
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  outbound ah sas:
  outbound pcp sas:

  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none
  inbound esp sas:
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  outbound ah sas:
  outbound pcp sas:

  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none
  inbound esp sas:
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  outbound ah sas:
  outbound pcp sas:

  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none
  inbound esp sas:
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  outbound ah sas:
  outbound pcp sas:

  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none
  inbound esp sas:
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  outbound ah sas:
  outbound pcp sas:

  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none
  inbound esp sas:
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  outbound ah sas:
  outbound pcp sas:

  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none
  inbound esp sas:

  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none
  inbound esp sas:
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  outbound ah sas:
  outbound pcp sas:

  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none
  inbound esp sas:
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
  outbound ah sas:
  outbound pcp sas:

  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none
  inbound esp sas:
   spi: 0x41F4CCC5(1106562245)
     transform: esp-des esp-md5-hmac ,
     in use settings ={Tunnel UDP-Encaps, }
     conn id: 81, flow_id: Onboard VPN:81, sibling_flags 80000040, crypto map tthmap
     sa timing: remaining key lifetime (k/sec): (4304754/58523)
     IV size: 8 bytes
     replay detection support: Y
     Status: ACTIVE(ACTIVE)
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
   spi: 0xCE5D1A7A(3462208122)
     transform: esp-des esp-md5-hmac ,
     in use settings ={Tunnel UDP-Encaps, }
     conn id: 82, flow_id: Onboard VPN:82, sibling_flags 80000040, crypto map tthmap
     sa timing: remaining key lifetime (k/sec): (4303844/58523)
     IV size: 8 bytes
     replay detection support: Y
     Status: ACTIVE(ACTIVE)
  outbound ah sas:
  outbound pcp sas:

  local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
  plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Vlan200
  current outbound spi: 0xBB18678E(3138938766)
  PFS (Y/N): N, DH group: none
  inbound esp sas:
   spi: 0x34418B72(876710770)
     transform: esp-des esp-md5-hmac ,
     in use settings ={Tunnel UDP-Encaps, }
     conn id: 83, flow_id: Onboard VPN:83, sibling_flags 80000040, crypto map ftthmap
     sa timing: remaining key lifetime (k/sec): (4222155/84434)
     IV size: 8 bytes
     replay detection support: Y
     Status: ACTIVE(ACTIVE)
  inbound ah sas:
  inbound pcp sas:
  outbound esp sas:
   spi: 0xBB18678E(3138938766)
     transform: esp-des esp-md5-hmac ,
     in use settings ={Tunnel UDP-Encaps, }
     conn id: 84, flow_id: Onboard VPN:84, sibling_flags 80000040, crypto map ftthmap
     sa timing: remaining key lifetime (k/sec): (4222130/84434)
     IV size: 8 bytes
     replay detection support: Y
     Status: ACTIVE(ACTIVE)
  outbound ah sas:
  outbound pcp sas:
ROUTERVPN#
All my links have 4500 as the port; in this output one VPN link has 36350 as the port? And this is the link that works randomly.
current_peer 51.x.x.119 port 36350
I don't know why I have this long output for this link?
I have multiple sa timing also
routervpn#show crypto ipsec sa | include local ident|remote ident|lifetime
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.xx.0/255.255.255.0/0/0)
  sa timing: remaining key lifetime (k/sec): (4367252/38359)
  sa timing: remaining key lifetime (k/sec): (4367355/38359)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.xxx.0/255.255.255.0/0/0)
  sa timing: remaining key lifetime (k/sec): (4314159/38743)
  sa timing: remaining key lifetime (k/sec): (4313734/38743)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.xx.0/255.255.255.0/0/0)
  sa timing: remaining key lifetime (k/sec): (4329696/46875)
  sa timing: remaining key lifetime (k/sec): (4321129/46875)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.xxx.0/255.255.255.0/0/0)
  sa timing: remaining key lifetime (k/sec): (4199082/41259)
  sa timing: remaining key lifetime (k/sec): (4197429/41259)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.xxxx6.0/255.255.255.0/0/0)
  sa timing: remaining key lifetime (k/sec): (4304754/57652)
  sa timing: remaining key lifetime (k/sec): (4303844/57652)
  sa timing: remaining key lifetime (k/sec): (4222155/83563)
  sa timing: remaining key lifetime (k/sec): (4222109/83563)
routervpn#
routervpn#
Please find attached the whole configuration file (head office); the 5 VPN configurations are in this file.
Please can you help me resolve this issue?
Best regards.
Max
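
Added example, not part of the original post: a small Python summary of one peer's section of `show crypto ipsec sa`, counting the entries that list no SA, the entries that list SAs while `current outbound spi` reads 0x0, the peer port, and the transforms in use. The sample text is constructed in the shape of the output above; the function name, report keys and the `LEGACY` set are assumptions of this example.

```python
import re

# Constructed sample: three SA blocks shaped like the output in the post.
SAMPLE = """\
current_peer 51.x.x.119 port 36350
local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
current outbound spi: 0x0(0)
inbound esp sas:
outbound esp sas:
local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
current outbound spi: 0x0(0)
inbound esp sas:
spi: 0x41F4CCC5(1106562245)
transform: esp-des esp-md5-hmac ,
sa timing: remaining key lifetime (k/sec): (4304754/58523)
local crypto endpt.: 192.168.100.1, remote crypto endpt.: 51.x.x.119
current outbound spi: 0xBB18678E(3138938766)
outbound esp sas:
spi: 0xBB18678E(3138938766)
transform: esp-des esp-md5-hmac ,
sa timing: remaining key lifetime (k/sec): (4222130/84434)
"""

PEER = re.compile(r"current_peer (\S+) port (\d+)")
OUT_SPI = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)\(")
SA = re.compile(r"spi: (0x[0-9A-Fa-f]+)\(\d+\)\s+transform: ([^,]+?)\s*,"
                r".*?lifetime \(k/sec\): \((\d+)/(\d+)\)", re.S)
LEGACY = {"esp-des", "esp-md5-hmac"}  # single DES and HMAC-MD5 are legacy

def summarize(text, natt_port=4500):
    """Summarise one peer's section; accepts flattened or line-broken text."""
    peer = PEER.search(text)
    port = int(peer.group(2)) if peer else None
    report = {"peer": peer.group(1) if peer else None, "peer_port": port,
              "port_is_default": port == natt_port,
              "empty_blocks": 0, "spi_mismatch": 0, "sas": []}
    for block in text.split("local crypto endpt.:")[1:]:
        sas = SA.findall(block)
        out = OUT_SPI.search(block)
        if not sas:
            report["empty_blocks"] += 1   # entry that lists no SA at all
        elif out and int(out.group(1), 16) == 0:
            report["spi_mismatch"] += 1   # SAs listed, outbound SPI reads 0x0
        for spi, transform, _kb, sec in sas:
            report["sas"].append({"spi": spi, "seconds_left": int(sec),
                                  "legacy": bool(LEGACY & set(transform.split()))})
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against saved output for each peer, the counts make it easy to compare the failing link with the four working ones.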